Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.
Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.
Authorization scope bypass in Gitea v1.26.1 and earlier allows authenticated users to use OAuth2/PAT Bearer tokens to perform Git Smart HTTP clone, fetch, and push operations on private repositories without holding the required read:repository or write:repository token scopes. The flaw stems from CheckRepoScopedToken() short-circuiting unless ctx.IsBasicAuth is true, while the same route accepts Bearer authentication. No public exploit identified at time of analysis beyond the reporter's PoC test in the GHSA advisory.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.
Authentication header injection in Caddy versions prior to 2.11.4 allows remote attackers with low privileges to bypass forward_auth identity protections and inject or override trusted HTTP_REMOTE_* CGI variables in downstream PHP/FastCGI applications. The flaw arises because forward_auth's copy_headers directive performs exact-name deletion of client-supplied headers (e.g., Remote-Groups), while the php_fastcgi module later normalizes hyphens to underscores when exporting CGI variables, allowing an underscore alias like Remote_Groups to survive and collide with the trusted variable. Publicly available exploit code exists via the vendor GHSA advisory PoC, though no public exploit identified at time of analysis indicates active exploitation in the wild.
Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.
Memory corruption in Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity via a crafted web page that triggers a buffer-related memory safety flaw. The issue also affects Firefox ESR before 140.12 and 115.37 and requires user interaction (e.g., visiting a malicious site). No public exploit identified at time of analysis and EPSS is low (0.16%), but SSVC rates technical impact as total.
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.
Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.
Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.
Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).
Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.
Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.
PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.
PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.
Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.
Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.
Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available; no public exploit identified at time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.
Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.
Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.
Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.
Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).
Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.
Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).
Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.
Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.